ACCOUNT TAKEOVER OBSERVATORY


A DECADE OF ACCOUNT TAKEOVER

This essay organizes a decade of large attacks directed at online accounts.

Account takeover (ATO) stands out in complaint data pulled from tweets.

Quick notes:

Written below is an investigation into a decade-long backlog of potential incidents. Many of these incidents are already public and have been written about by journalists. This approach, using tweet data, does not rely on previous journalism. Tweet data alone can signal date ranges with account-related incidents and could uncover "missed" incidents.

Conclusions drawn from tweet data carry a lot of caveats. The "Interpreting this data" section should be useful if you plan on discussing this data; it may already address concerns about how tweet data should be considered.

Enjoy! You can find me @magoo if you have suggestions, feedback, or corrections.



DATA

The chart below is a summary of all complaints on Twitter about accounts being hacked.

An example tweet:

"Oh no! Hey $company, My account is hacked!"

Simply put: that tweet would count as one event. This data is built from a search reaching back to the first tweet that matches the query:

my account hacked has:mentions -is:retweet

Simple time series analysis of this data brings up points worth investigating.

The red line indicates when COVID-19 was declared a global pandemic. An elevation seems to occur after this date for some (but not all) of the targets of ATO found in this data.

The post-pandemic increase in malicious online activity has already been observed by many. This data seems to agree. There is, of course, the possibility of other causes. I've added a red line to every chart for others to inspect as well.

Tweet data also indicates where attacks are happening. The impact on individuals is often detailed. Links to the actual tweets are provided where elevations occur in the data, per target. You can also adjust the Twitter searches as needed.


METHOD

I've used the Twitter full-archive search API to analyze tweets that suggest "my account is hacked", going as far back as Twitter will allow. This method produces interesting leads for incident research. I've focused on developing it here for public interest because there were interesting findings.

Interpreting this data

The following notes can help calibrate your sense of volume from these plots. Most notably, comparing one company to another is not really useful, nor is comparing 2020 to 2007.

This approach surfaces a whole lot of interesting account takeover trends. It is nowhere near an authoritative description of all account takeovers. The banking sector makes minimal appearance in this essay as a result; modifications to the query could capture it.

No valid "largest attack" claims can be drawn from these plots. Larger trends may be caused by a customer base that overlaps heavily with the Twitter user base. This may be why Instagram looks to have a lot of cases. It does not mean Instagram has "larger attacks" than others.

Twitter has grown in the timeframe this data was collected. So, some exponential growth with the whole dataset is assumed as well. This data could be normalized with Twitter's Active User data (and may be in the future!), but useful takeaways are already visible without doing this.

Tweets act as an unreliable narrator, and many of the "trends" may be related to site outages or other confusion, which I address under False Positives below. This makes tweet data very ugly to check for false positives. Tweets do not make great witness statements. As you'll see, large groups of tweets in a short period are worth digging through anyway.

As a result, I've made some opinionated decisions to increase signal, discussed next.

Many plots merge @ handles owned by a single entity. For example, Twitch is a combination of @twitch OR @twitchprime OR @twitchsupport. I've merged handles to create a company when I see activity inconsistently spread across them.

I removed false positives from K-pop, Bieber, and really strange attacks that frequently indicated an incident was going on.

I require mentions (@'s) with has:mentions in each tweet so that I can clearly extract brand names without nicknames or misspellings. I've also removed retweets and replies from the data, which removed a lot of "pile on" conversations with popular Twitter users. Users were deduplicated by day to limit rage-tweeting and false trends caused by upset users within a single day. This will be a great follow-up area for investigation.

Lastly, and most importantly:

There is an assumption to be made that people tweeting about being hacked are a subset of a larger hacked population. It's reasonable to consider the actually hacked population might be large if a group forms to complain on Twitter. As we'll see below, there are also cases where these trends are created by confused users (especially in website outages), but we will now discuss how that can be checked.

False Positives

The underlying tweet text allows us to check for actual attack activity. I've included links to high volume date ranges that would describe the account hackings going on to verify cases yourself.

Whenever there is an increase of tweets for a company, there must also be underlying tweets accompanying the trend that resemble the threat. Otherwise, the result may be user confusion due to an outage (I have noted many), a data breach disclosure (many), or a variety of other factors.

Lastly, simple searches for journalism in the timeframes with elevated activity will often offer an alternative cause for the peak. Often it is an (un)related data breach disclosure or an app/site outage.

This data has a lot of these false positives, but it also has great incident content.
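As an added example (not code from the essay or its author), here is how the filtering decisions above can be reproduced over a handful of constructed tweet records to build the per-company daily series, together with a helper that returns the underlying tweets behind a point on the plot so a peak can be checked for the false positives just discussed. The record format and the handle groupings other than Twitch are assumptions.

```python
from collections import defaultdict
from datetime import date

# Handle merging as the essay describes for Twitch; the other groupings are assumptions.
COMPANY_OF = {
    "twitch": "Twitch", "twitchprime": "Twitch", "twitchsupport": "Twitch",
    "instagram": "Instagram", "netflix": "Netflix", "netflixhelps": "Netflix",
}

# Constructed sample records: (user, day, is_retweet, is_reply, text).
SAMPLE_TWEETS = [
    ("alice", date(2019, 4, 5), False, False, "hey @twitch my account hacked"),
    ("alice", date(2019, 4, 5), False, False, "@twitchsupport my account hacked!!"),  # same user, same day
    ("bob", date(2019, 4, 5), False, False, "@twitchsupport my account hacked, bits gone"),
    ("carol", date(2019, 4, 5), True, False, "RT @bob: @twitchsupport my account hacked"),  # retweet
    ("dave", date(2019, 4, 5), False, True, "@bob same here, my account hacked"),  # reply
    ("erin", date(2019, 4, 6), False, False, "my account hacked on @Netflix, support backlog"),
    ("frank", date(2019, 4, 6), False, False, "my account hacked and nobody helps"),  # no mention
]

def mentions(text):
    """Lower-cased handles mentioned in a tweet, trailing punctuation stripped."""
    return [w[1:].rstrip("!?.,:").lower() for w in text.split() if w.startswith("@")]

def keep(record):
    """The essay's filters: no retweets, no replies, at least one @mention."""
    _, _, is_rt, is_reply, text = record
    return not is_rt and not is_reply and bool(mentions(text))

def complaint_series(tweets, company_of=COMPANY_OF):
    """company -> day -> number of distinct users complaining about it that day."""
    seen = set()
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, _, _, text in filter(keep, tweets):
        for company in {company_of[m] for m in mentions(text) if m in company_of}:
            if (user, day, company) not in seen:  # one event per user per day
                seen.add((user, day, company))
                counts[company][day] += 1
    return {c: dict(d) for c, d in counts.items()}

def evidence(tweets, company, day, company_of=COMPANY_OF):
    """Underlying tweets behind one point on the plot, for manual false-positive review."""
    return [t[4] for t in filter(keep, tweets)
            if t[1] == day and any(company_of.get(m) == company for m in mentions(t[4]))]

if __name__ == "__main__":
    series = complaint_series(SAMPLE_TWEETS)
    for company, days in series.items():
        for day, n in sorted(days.items()):
            print(company, day, n, evidence(SAMPLE_TWEETS, company, day))
```

Alice's two tweets at different Twitch handles collapse into one event because the handles are merged before deduplication, which is the behaviour the merging rule is meant to produce.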


THE ACCOUNT SECURITY LANDSCAPE

The following image is a broad, high-level plot of what the data looks like. Each color is a different "target" (@mention) for tweets. Trending peaks are indicative of account takeover issues. Further inspection of the underlying tweets is needed to fully understand them or eliminate false positives.

A few trends stand out quickly from this viewpoint: Netflix, Instagram, Playstation and Electronic Arts immediately get attention.

This plot serves as a starting point for analysis and is easier to break down per company, below.


SOCIAL

Primarily targeted for spam. Secondary, stored value or lateral movement into other accounts.

Includes: Instagram, Twitter, Facebook, LinkedIn, Snap, Discord

Twitter

Mostly spam, and a surprising XSS attack that hijacked accounts to deliver content.

Instagram

There's a steady stream of issues with 2017-03-28 and 2018-07-18 seeing trends peak with larger incidents. Mostly ATO with intent to spam. The quick, single day peaks are often outages that cause users to believe they are hacked. This effort considers these to be false positives and I've marked them below.

Facebook

Mostly spam. Some examples of stored payment instruments being used to purchase ads for scams and fraud. False positives whenever an outage appears. Facebook often appears when other services are targeted and a Facebook account is exploited to move laterally to them, so there are Facebook-related issues with other targets (see: PUBG).

Additionally, significant overlap with Instagram complaints muddies this further.

Snap

Spam and money scams sent to contacts.

Discord

Looks like lots of Discord phishing scams attempting to reach Roblox accounts; worth looking for correlation.

LinkedIn

Hijacked accounts send spam, make connection requests to other users.


GAMING

Primarily targeted for virtual good theft. Secondary, access to beta games or game purchases.

Includes: Playstation, Electronic Arts, Blizzard, Guild Wars 2, Rockstar, Roblox, XBox Live, PUBG, Epic, Runescape, Mojang, Activision, Ubisoft, Nintendo, Riot, 2k Games, Valve, Team Adopt Me

Playstation

Playstation has a lot of fraudulent charges after accounts are taken over. There is also virtual currency / goods fraud for a variety of games. The CISO at Sony posted this in the earlier part of this dataset. This suggests a weakness of this data, as Twitter was less popular then and saw less complaint chatter.

Electronic Arts

There is so much activity for FIFA that I am including a FIFA-only plot for comparison. This search seems to do well excluding FIFA as it may pertain to their Origin product, but I can't be sure.

EA (FIFA Only)

FIFA saw substantial virtual goods fraud between 2013-2015 with multiple ramp ups.

Blizzard

2012 saw a blip of account lockout complaints. More recently, a significant trend post-pandemic. I noticed phishing reminders from the official Blizzard CS account during the recent window.

PUBG / Player Unknown's Battlegrounds

Many discuss their Facebook account being hacked, and leading to breach of their gaming account.

Guild Wars 2

A very large, early appearance in the data. About 20 days of intense activity. This blog post was published during the window, as was this wiki.

Rockstar

Stolen Rockstar Social Club accounts. Journalism about the issue begins in April 2015.

Roblox

Roblox appears to have drastically increased post-pandemic.

XBox Live

FIFA fraud appears frequently, as well as point theft.

Epic

Mostly stored credit cards used to purchase V-Bucks in Fortnite on various platforms. Journalism here appeared before elevations in this data.

Runescape

Low-level fraud in Runescape since 2010, a large uptick in 2014, and peaks in 2017 and 2018.

Mojang

Account lockouts and virtual good deletions. Additionally, there might be "OG" name theft fraud, as name changes are forced, possibly to steal valuable usernames.

Activision

Account theft in Modern Warfare, and a couple of mentions that look like extortion / ransom.

Ubisoft

Attackers adding 2FA to uPlay accounts, lockouts.

Nintendo

Lots of overlap with PayPal, Epic Games (Fortnite) and their digital currency (V-Bucks). Journalism here.

Riot

2k Games

Virtual goods fraud in NBA2k and WWE2k.

Valve

Many years of trends. Note that complaints are directed at Steam while the parent company is Valve.

Team Adopt Me

This is a mod for Roblox. Virtual goods theft (virtual pets).


STREAMING

Primarily targeted to take over subscriptions. Secondary motives depend on features (Twitch has virtual currency, YouTube has content creation). (Please note that the Netflix peak sits on top of the COVID line, obscuring it.)

Includes: Twitch, Netflix, Spotify, YouTube, Disney Plus, Hulu, Crunchy Roll

Netflix

Netflix has seen very subtle activity for a long time. Two very large attacks stand out, one immediately after the pandemic was declared. In each case, users complain about a support backlog. This is also the loudest attack in this data. The COVID pandemic may have exacerbated response times.

YouTube

YouTube is especially difficult to analyze due to the popularity of streamers discussing their hacked accounts and starting conversations with the keywords we've searched for. I've done my best to pull those out so that the chart has better signal and the links have better samples.

Twitch

A false positive in 2015 (due to a data breach disclosure), another subtle bump in 2018, and a clear incident between 2019-04-04 and 2019-06-27. Attacks look to be targeting virtual goods (Twitch "bits") from stored value or connected bank accounts, or sending gift subscriptions.

Spotify

Probably the weirdest account takeover scheme in the bunch: hacking accounts and "laundering" music by playing obscure soundtracks and collecting the affiliate payouts. This resulted in end-of-year playlists being incorrect, often with weird results. Here are similar examples of "play" fraud.

A couple of events precede the uptick in complaints in Spotify's data at the end of 2015 and early 2016.

Complaints hit a new volume in 2017.

The following ranges look like false positives. The end of year wrap up seems to cause people to suddenly discuss (or discover) their previous experiences getting hacked.

Disney Plus

Disney Plus saw attacks almost immediately after launch.

Hulu

Account hijacks.

Crunchy Roll

Gaining access to anime.


MERCHANT

Primarily targeted for reshipping fraud and merchant scams.

Includes: StockX, Ebay, Amazon, Depop, Walmart, Next, Offerup

StockX

Two clear incidents involving a high volume of fraud with stored payment instruments and dropshipping. Of note, StockX disclosed an incident involving hashed passwords one month earlier. What is incredibly interesting is this line in the post:

a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords;

Assuming password re-use, customers must have been allowed to revert their passwords or use other weak passwords, or there was credential theft (i.e., phishing) elsewhere. More is discussed here; however, these events happen after this journalism.

Ebay

Similar to the other merchants: Fraudulent listings and purchases with stored payment instruments. Reshipping fraud.

Amazon

One of the sharpest start and end periods in this data. Really diverse issues: review spam, seller / buyer fraud, gift card issues, the list goes on.

Offerup

ATO'd accounts pushing vehicle scams.

Walmart

Mostly targeting a product called "Savings Catcher" to redeem points.

Next

Orders placed on ATO'd accounts.

Depop


FINANCIAL

Traditional payments fraud + money laundering.

Includes: Square, PayPal, Revolut, My Access Bank

Square

Square customer support jumps into a few of these threads and offers some insight. Cellular (SIM) fraud is discussed a couple of times too.

PayPal

PayPal is interesting as it is on the receiving end of many other targets of account hacking. PayPal is often the stored payment instrument that receives charges when other services are attacked, for instance Nintendo.

Revolut

SMS phishing links sent to Revolut cardholders with some complaints of large financial losses.

My Access Bank

Social engineering over social media channels and ATO fraud. Lots of scam victims.


EMAIL

Primarily targeted for spam. Secondary, lateral movement and account access.

Includes: GMail, Microsoft Outlook, Yahoo

Google / Alphabet / GMail

Microsoft Outlook

Outage on March 7, 2017. Appears pretty consistently in this data, but no large events.

Yahoo

Spam references, similar to other email providers.


DATING

Uncertain. Examples of catfishing and escort spam. Not clearly presented in the data, but another possible motive is money mule recruitment.

Includes: Plenty of Fish, OK Cupid

Plenty of Fish

Account lockouts with what seems to be some kind of catfishing fraud.

OK Cupid

Looks like account takeover leading to catfishing.


FOOD

Primarily hungry threat actors. Secondary, reward points fraud.

Includes: Dominos, Chipotle, Deliveroo, Skip the Dishes, Postmates, Caviar, Starbucks, Chick-fil-a, Buffalo Wild Wings, Door Dash

Dominos

Chipotle

Deliveroo

Skip The Dishes

Postmates

Caviar

Starbucks

Chick-fil-a

Food fraud, stealing rewards points.

Buffalo Wild Wings

Food Fraud. Theft of reward points.

Door Dash

Food fraud.


RIDE SHARING

Various forms of rider or driver fraud, money laundering, or purchased accounts for free rides.

Includes Uber, Lyft.

Uber

This is all pretty wild. Looks like driver and rider fraud, with plenty of journalism covering the angles.

Lyft

Driver and rider accounts taken over. Customers see rides they didn't order to unknown destinations.


OTHER

Includes Fitbit, AT&T, Airbnb.

Airbnb

Three events over three years with charges to credit cards and bookings. Discussed here.

Fitbit

It's difficult to tell from the tweet data what may have been gathered from an attack on Fitbit accounts, but account details were changed and original owners were locked out.

AT&T


A big thanks to Brett Hoover and Suzanne Rose for their research assistance.